Researchers at the Fraunhofer Institute have done some interesting research on physical-access attacks on iPhones and iPads. It turns out that if you have physical access to a turned-off, passcode-locked iOS device, getting at the passwords stored on it boils down to three simple steps:
- Jailbreak it, thus getting SSH access
- Copy a specially crafted keychain access script
- Execute the script
No cracking or cryptanalysis involved.
The keychain is the iOS place for password storage, and it encrypts all its secrets using AES-256.
The attack works by calling the system's own keychain API to unlock different parts of the keychain. You would expect this to require the user's passcode, but for services that must keep working without any user interaction, such as network connections and VPN tunnels, a security tradeoff has been made: each keychain item is assigned a protection class, and for the least protected class the item's key is wrapped only with a key tied to the device hardware, not with one derived from the passcode. Anyone who can run code on the device, which a jailbreak provides, can therefore ask the system to decrypt those items, and no passcode is needed.
As an example, Gmail passwords were found to be protected and required the user's passcode, but WPA keys for wireless networks and Microsoft Exchange passwords were not. It's also worth mentioning that getting access to one password often means getting access to others, since users are prone to re-use passwords or to store them in other password-protected places such as their email accounts.
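The attribute that decides which side of this tradeoff an item lands on is `kSecAttrAccessible`, set when the item is written. The Swift below is an added example, not code from the original post or from the Fraunhofer paper: it stores the same secret once the weak way (`kSecAttrAccessibleAlways`, the class whose items the paper recovered without a passcode) and once the hardened way (`kSecAttrAccessibleWhenUnlockedThisDeviceOnly`), then walks the generic-password items the process can see and flags the ones readable without the passcode. The service name, account names and the secret are made up for illustration.

```swift
import Foundation
import Security

/// Writes `secret` to the keychain under service/account with the given
/// accessibility class, replacing any existing copy. Returns the OSStatus.
func storeSecret(_ secret: Data, service: String, account: String,
                 accessible: CFString) -> OSStatus {
    let lookup: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    // Delete any earlier copy so the accessibility class is applied afresh;
    // SecItemAdd would otherwise fail with errSecDuplicateItem and keep the old class.
    let deleteStatus = SecItemDelete(lookup as CFDictionary)
    guard deleteStatus == errSecSuccess || deleteStatus == errSecItemNotFound else {
        return deleteStatus
    }
    var attrs = lookup
    attrs[kSecAttrAccessible as String] = accessible
    attrs[kSecValueData as String] = secret
    return SecItemAdd(attrs as CFDictionary, nil)
}

/// True for the "Always" classes, whose item keys are wrapped with a
/// device-bound key only and so can be decrypted without the passcode.
/// (Both constants are deprecated since iOS 12 but still present in the SDK.)
func isReadableWithoutPasscode(_ accessible: String) -> Bool {
    return accessible == (kSecAttrAccessibleAlways as String)
        || accessible == (kSecAttrAccessibleAlwaysThisDeviceOnly as String)
}

/// Lists every generic-password item this process is allowed to see together
/// with its accessibility class. Within the App Store sandbox that is only the
/// app's own access groups; a suitably entitled process on a jailbroken device
/// sees the whole keychain.
func auditAccessibility() -> [(service: String, account: String, accessible: String)] {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecReturnAttributes as String: true,
        kSecMatchLimit as String: kSecMatchLimitAll,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let items = result as? [[String: Any]] else {
        return []
    }
    return items.map { item in
        (service: item[kSecAttrService as String] as? String ?? "?",
         account: item[kSecAttrAccount as String] as? String ?? "?",
         accessible: item[kSecAttrAccessible as String] as? String ?? "?")
    }
}

// Constructed demo values (hypothetical service and secret, not from the paper).
let secret = Data("vpn-shared-secret".utf8)
_ = storeSecret(secret, service: "example.vpn", account: "weak",
                accessible: kSecAttrAccessibleAlways)                     // decryptable without passcode
_ = storeSecret(secret, service: "example.vpn", account: "hardened",
                accessible: kSecAttrAccessibleWhenUnlockedThisDeviceOnly) // needs the passcode, never migrates via backup

for item in auditAccessibility() {
    let verdict = isReadableWithoutPasscode(item.accessible) ? "EXPOSED" : "ok"
    print("\(item.service)/\(item.account): \(item.accessible) -> \(verdict)")
}
```

If a secret genuinely has to be available before the user unlocks the device, for example a VPN that reconnects in the background, `kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly` is the right middle ground: its class key is only released after the passcode has been entered once since boot, so an attacker who has to reboot a powered-off device to jailbreak it still cannot reach the item. The `ThisDeviceOnly` suffix additionally stops the item from being migrated to another device through a backup.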
Bottom line: if you lose your device, change all of your passwords.
Full paper here.